Notes:

Not a traditional RBAC model.
Roles are only used to assign domains to users, not to directly grant permissions.
But unlike traditional RBAC, SELinux RBAC/TE hybrid allows confinement of malicious and flawed programs using domains.